CVE-2013-2639

medium
Published 2014-02-11 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
5.3

Description

Stored cross-site scripting (XSS) vulnerability in CTERA Cloud Storage OS 3.2.29.0, 3.2.42.0, and earlier allows a remote authenticated user (a standard CTERA account is sufficient) to inject arbitrary web script or HTML via the description of a project folder; the description is rendered for every user the folder is shared with.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-31517 webapps php text · 2 KB
Luigi Vezzoso · 2014-02-07

CTERA 3.2.29.0/3.2.42.0 - Persistent Cross-Site Scripting

text exploit Source: Exploit-DB
# Exploit Title: [CTERA Project Folders -  Stored XSS]
 
# Date: [11-Mar-2013]
# Exploit Author: [Luigi Vezzoso]
# Vendor Homepage: [http://www.ctera.com]
# Version: [3.2.29.0 and 3.2.42.0 ]
# Tested on: [ctera os]
# CVE : [CVE-2013-2639]
 
#OVERVIEW
A standard CTERA user can define a particular "description" for a Project Folder that causes JavaScript code execution and HTML injection.
 
#INTRODUCTION
CTERA Networks (http://www.ctera.com) bridges the gap between cloud storage and local storage, providing optimized performance and end-to-end security. Our solutions accelerate deployment of cloud services and eliminate the costs associated with file servers, backup servers and tape drives. Service providers and enterprises use CTERA to deliver services such as backup, file sync and share, mobile collaboration, managed NAS and cloud on-ramping, based on the cloud infrastructure of their choice.
 
#VULNERABILITY DESCRIPTION
A user can forge a particular description on a Project Folder that permits XSS and HTML injection (adding links, images, buttons, etc.). As the project folder can be shared with different users, the vulnerability permits the grabbing of session cookies.
 
To test the vuln: create a Project Folder with the following description (the particular path depends on the firmware version)

</xml><img src="https://192.168.3.2/admingui/common.3.2.29.291012114828/script/ext/resources/images/default/grid/loading.gif" onload="alert(document.cookie);">
<xml>



#VERSIONS AFFECTED
Tested on CTERA Cloud Storage OS versions 3.2.29.0 and 3.2.42.0
 
#SOLUTION
The vendor marks it as resolved in the latest CTERA version 4.x
 
#CREDITS
Luigi Vezzoso 
email:  luigivezzoso@gmail.com
skype:  luigivezzoso
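The following is an added example written for this page; it is not CTERA's code and not part of the Exploit-DB advisory above. It models the stored-XSS pattern the advisory describes, a project-folder description concatenated into markup without encoding, using the advisory's own payload as input. The template shape, the <xml> wrapper the payload breaks out of, and every function name (renderProjectFolderVulnerable, renderProjectFolderSafe, escapeHtml, tagNames, eventHandlers, isClean) are assumptions for illustration, not CTERA internals. Beside the vulnerable rendering it shows the hardened form (context-appropriate HTML encoding) and a small audit that tokenises the rendered output into real tags, so escaped text that merely looks like an `onload` attribute is not flagged.

```javascript
// Added example, not CTERA's code and not part of the Exploit-DB advisory.
// It models the stored-XSS pattern behind CVE-2013-2639: a project-folder
// description concatenated into markup without encoding. The template
// shape, the <xml> wrapper, and all function names are assumptions.

// Payload from the advisory. It closes the wrapper the description sits in,
// then injects an <img> whose onload handler runs in the viewer's session.
// The src points at an image the appliance itself serves, so onload fires.
const ATTACKER_DESCRIPTION =
  '</xml><img src="https://192.168.3.2/admingui/common.3.2.29.291012114828/' +
  'script/ext/resources/images/default/grid/loading.gif" ' +
  'onload="alert(document.cookie);"><xml>';

// Vulnerable rendering (assumed shape): user data is interpolated as-is.
function renderProjectFolderVulnerable(name, description) {
  return `<div class="folder"><h2>${name}</h2>` +
         `<xml id="desc">${description}</xml></div>`;
}

// Hardened rendering: HTML-encode the characters that can change parsing
// in an element-body or attribute context before interpolating.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}
function renderProjectFolderSafe(name, description) {
  return `<div class="folder"><h2>${escapeHtml(name)}</h2>` +
         `<xml id="desc">${escapeHtml(description)}</xml></div>`;
}

// Audit helpers: tokenise the rendered markup into tags so the check sees
// only real tags, not escaped text that merely looks like one.
const TAG_RE = /<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;

// Tag names in document order, lower-cased ("/xml" for a closing tag).
function tagNames(html) {
  return Array.from(html.matchAll(TAG_RE), (m) => m[1].toLowerCase());
}

// "tag@handler" for every on* attribute found inside a real tag.
function eventHandlers(html) {
  const hits = [];
  for (const m of html.matchAll(TAG_RE)) {
    for (const a of m[2].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      hits.push(`${m[1].toLowerCase()}@${a[1].toLowerCase()}`);
    }
  }
  return hits;
}

// The tags the (assumed) template emits on its own; anything beyond these
// came from user-controlled data.
const TEMPLATE_TAGS = ['div', 'h2', '/h2', 'xml', '/xml', '/div'];

function isClean(html) {
  const tags = tagNames(html);
  return tags.length === TEMPLATE_TAGS.length &&
         tags.every((t, i) => t === TEMPLATE_TAGS[i]) &&
         eventHandlers(html).length === 0;
}

// Stand-alone demonstration.
const vulnerable = renderProjectFolderVulnerable('Q3 roadmap', ATTACKER_DESCRIPTION);
const safe = renderProjectFolderSafe('Q3 roadmap', ATTACKER_DESCRIPTION);
console.log('vulnerable tags:', tagNames(vulnerable).join(' '));
console.log('vulnerable handlers:', eventHandlers(vulnerable));
console.log('vulnerable clean?', isClean(vulnerable));
console.log('hardened clean?', isClean(safe));
```

Two practitioner caveats follow from the advisory's impact statement. The `document.cookie` read only returns the session cookie if it was set without the HttpOnly flag; with HttpOnly the cookie is not exposed, but the injected script still runs with the victim's session and can act on their behalf, so the flag narrows the impact rather than removing it. And the audit above is a test-suite check on rendered output, not a replacement for encoding at the point of interpolation; the fix is the encoding in renderProjectFolderSafe.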

References

CWEs

CWE-79
